Solved

Cisco ISE Deployment

Posted on 2014-09-17
Last Modified: 2015-09-23
Cisco ISE deployment for a NAC solution.
I would like to understand how this can be deployed for 2 data centers.
Data center 1 will be the primary and data center 2 will be the secondary.
All my sites will be connected to both my primary and backup DCs.
For my NAC solution I need to install the necessary Cisco ISE components in both my production and backup DCs.
So in this case I would like to understand how failover and redundancy work for Cisco ISE between the DCs for my NAC solution.

If anyone has any details or documents, kindly share.
Question by:SrikantRajeev
LVL 61

Expert Comment

by:btan
ID: 40329399
Some good references

Setting Up Cisco ISE in a Distributed Environment
http://www.cisco.com/en/US/docs/security/ise/1.0/user_guide/ise10_dis_deploy.html

Cisco TrustSec How-To Guide: ISE Deployment Types and Guidelines
http://www.cisco.com/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/howto_50_ise_deployment_tg.pdf
In midsize to large enterprise deployments, ISE functions can be divided into several dedicated service nodes called “personas.” E.g. “Policy Administration Node (PAN)”,  “Policy Service Node (PSN)”,  “Monitoring Node (MNT)” and “Inline Posture Node (IPN)”. The main goal of dividing into dedicated service nodes is to distribute the load and traffic caused by authentication services, and to avoid points of failure by centralizing service in one appliance.

Check out
- Basic 2-Node (Redundant) Deployment: Up to 2,000 Endpoints. (SMB) When ISE appliances form redundancy, you can configure them to serve as primary and secondary nodes for administration and monitoring services. Having a single primary administration node and multiple secondary nodes is sometimes referred to as an ISE distributed deployment.

- Distributed Deployment: 2,000 to 10,000 Endpoints. (detaching the PSN from the PAN or MNTs) In this type of distributed deployment, we recommend two sets of Cisco ISE nodes for admin and monitoring functions and up to five PSNs. If you have more than two PSNs in a single location, you can cluster those PSNs behind a load-balancing device (such as a Cisco Application Control Engine) for better performance. Additionally, other network access devices (NADs), such as ones in the second campus network, can point to the headquarters PSN as a secondary RADIUS server for high-availability purposes.

- Distributed Deployment: Up to 100,000 Endpoints (Maximum). (separated onto dedicated appliances) ISE supports up to two dedicated PANs and two dedicated MNTs. Each dedicated appliance can serve as primary and secondary node to maintain resiliency in case of service failure. When these nodes are separated on dedicated appliances, the number of supported PSNs also increases. With 2x PANs and 2x MNTs, ISE supports up to 40 PSNs, supporting 100,000 endpoints concurrently. If your company has a single data center, primary and secondary PANs and MNTs can be connected in different segments. With multiple data centers, it is more common to separate those personas in each data center location for disaster recovery (DR) purposes. Of course, the personas communicate with each other to synchronize endpoint data, session information and state, and configuration changes. With distributed personas, it is important to understand the types of communication between nodes to prevent a node from going out of sync.

A distributed deployment design needs to support all the required communication protocols between personas. For instance, PAN and PSN communicate to replicate and synchronize policy and configurations. Those two appliances use HTTPS (TCP/443) and Oracle DB Listener and AQ (TCP/1521) to perform replication and synchronization. ICMP is also used to perform a heartbeat between the PAN and PSN.
LVL 45

Expert Comment

by:Craig Beck
ID: 40329738
Simply put, failover just happens.  You list both ISE boxes in the NAC client if they're running the PSN persona.
LVL 1

Author Comment

by:SrikantRajeev
ID: 40332021
For this, from the switch perspective, should I configure both ISE IP addresses as active/standby?
So if my primary site is down, will it point to the secondary site IP address?
Is it recommended to have the redundancy at the local site, or is it sufficient to have redundancy at site level across the 2 DCs?
LVL 45

Expert Comment

by:Craig Beck
ID: 40332245
Yes, configure both on the switch, but remember to include both in any ACLs you have configured.

Redundancy scenarios depend on how your network is designed and how much redundancy you want.  It's quite common for ISE servers to be distributed across L3 boundaries in separate DCs for example.
LVL 61

Expert Comment

by:btan
ID: 40332413
Agree with Craig Beck, that is the norm for HA, and clustering with heartbeat is the norm as well. It is even applicable during upgrades of switches, to ensure an alternate route is always made available.

Also, at least one node in your distributed setup should assume the Monitoring persona. We recommend that you not have the Monitoring and Policy Service personas enabled on the same Cisco ISE node. You may want to consider dedicating a node solely to monitoring for optimum performance. Other points for redundancy:
a) there must be at least one Monitoring ISE node in a distributed deployment. At the time of configuring your primary Administration ISE node, you must enable the Monitoring persona. After you have registered a secondary Monitoring ISE node in your deployment, you can edit the primary Administration ISE node and disable the Monitoring persona, if required.
b) When you register an ISE node as a secondary node, Cisco ISE immediately creates a database link from the primary to the secondary node and begins the process of replication. Replication is the process of sharing ISE configuration data from the primary to the secondary nodes. Replication ensures consistency among the configuration data present in all the ISE nodes that are part of your deployment.

If I may extract the below for info:
Guidelines for Setting Up a Distributed Deployment
Read the following statements carefully before you set up Cisco ISE in a distributed environment:
• There are two types of nodes in a Cisco ISE distributed deployment: the ISE node and the Inline Posture node. An ISE node can assume the Administration, Policy Service, and Monitoring personas at the same time. An ISE node can be a primary, secondary, or standalone node.

• The Administration, Policy Service, and Monitoring personas will be enabled by default in a standalone ISE node.

• You must first configure a primary Administration ISE node and then register secondary nodes to set up a distributed deployment.

• There can be only one primary ISE node in a distributed deployment and it must assume the Administration persona. You can have a maximum of two ISE nodes that assume the Administration persona, one being your primary and the other a secondary node.

• All Cisco ISE system-related configuration and configuration related to functionality should be done only on the primary Administration ISE node. The configuration changes that you perform on the primary Administration ISE node are replicated to all the secondary nodes in your deployment.

• When the primary Administration ISE node goes down, you must log into the user interface of the secondary Administration ISE node and make it the primary node.

• The Inline Posture node requires a dedicated node. No other persona or service can run on a node that is designated as an Inline Posture node.

• A properly configured Domain Name System (DNS) server is required for a distributed deployment to work correctly. You must enter the IP addresses and fully qualified domain names (FQDNs) of the ISE nodes that are part of your distributed deployment in the DNS server.

• If you want to uninstall Cisco ISE from a secondary node, you must first deregister it from the primary Administration ISE node. You can then reimage the standalone node and reregister it with the primary Administration ISE node.
LVL 1

Author Comment

by:SrikantRajeev
ID: 40343371
Does ISE support 802.1x MAC authentication for the PCs which are connecting to the wired and wireless network?
I want the PCs to be authenticated based on their MAC address using ISE.
Let me know if this is possible.
LVL 61

Expert Comment

by:btan
ID: 40343609
My understanding is that it is possible using the MAC via MAB (MAC Authentication Bypass).
If a device (endpoint) does not support 802.1x, MAC address authentication can be used, based on the MAC address of the device. Of course, it is less secure because of MAC address spoofing. Hashing and encryption are not really needed because username and password are both the MAC address. EAP-MD5 or PAP is not always necessary.

The normal MAB scheme uses 4 phases during operation of the endpoint:
Phase 1: Initiation; this will time out because there is no 802.1x response
Phase 2: MAC learning; the NAD will check the MAC address with ISE after the endpoint sends the first packet
Phase 3: Authorization; ISE can push a DACL or other authorization objects like VLANs
Phase 4: Accounting
LVL 45

Expert Comment

by:Craig Beck
ID: 40343983
I just answered your other question, but I'll repeat here...

MAB is available in ISE.  There is already a policy in ISE to do wireless and wired MAB, so you just configure your switches for 802.1x and MAB, then add the MAC addresses to the internal endpoints database.
LVL 61

Accepted Solution

by: btan (earned 500 total points)
ID: 40344101
To add, if you catch these extracted steps for reference:
http://www.cisco.com/c/en/us/td/docs/security/ise/1-2/user_guide/ise_user_guide/ise_sw_cnfg.html#48050
Step 8: Enable various authentication method options:

! Enable re-authentication
authentication periodic
! Enable re-authentication via RADIUS Session-Timeout
authentication timer reauthenticate server
authentication event fail action next-method
authentication event server dead action authorize <VLAN_number>
authentication event server alive action reinitialize
! IOS Flex-Auth authentication should do 802.1X then MAB
authentication order dot1x mab
authentication priority dot1x mab

Step 9: Enable 802.1X port control on the switchport:

! Enables port-based authentication on the interface
authentication port-control auto
authentication violation restrict

Step 10: Enable MAC Authentication Bypass (MAB):

! Enable MAC Authentication Bypass (MAB)
mab

Step 11: Enable 802.1X on the switchport:

! Enables 802.1X authentication on the interface
dot1x pae authenticator

Step 12: Set the retransmit period to 10 seconds:

dot1x timeout tx-period 10
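Steps 8 to 12 above are easy to apply to one port and easy to miss on the next fifty, and the earlier advice in this thread to list both ISE servers on every switch is just as easy to forget on a branch stack. The script below is an added example for this thread, not Cisco's code and not anything the posters provided: it parses an IOS-style running-config, checks every access port for the exact interface commands from Steps 8 to 12 (a port with a different `tx-period` value is reported as missing that line), and counts the globally defined RADIUS servers so a switch that only knows the primary DC's PSN stands out. The sample config, the `ISE-DC1`/`ISE-DC2` names, the addresses and the key are all constructed; `vlan 100` stands in for the `<VLAN_number>` placeholder in Step 8.

```python
"""Audit an IOS-style running-config against the 802.1X/MAB interface settings from
Steps 8-12 of the accepted solution and the "configure both ISE servers on the switch"
advice earlier in the thread. Added example; the sample config below is constructed."""
from __future__ import annotations
import re

# Interface-level commands from Steps 8-12 of the accepted solution. A port must carry
# each of these exactly; 'server dead action authorize' is matched as a prefix only,
# because the VLAN number that follows it is site-specific.
REQUIRED_INTERFACE_CMDS = [
    "authentication periodic",
    "authentication timer reauthenticate server",
    "authentication event fail action next-method",
    "authentication event server dead action authorize",
    "authentication event server alive action reinitialize",
    "authentication order dot1x mab",
    "authentication priority dot1x mab",
    "authentication port-control auto",
    "authentication violation restrict",
    "mab",
    "dot1x pae authenticator",
    "dot1x timeout tx-period 10",
]
PREFIX_ONLY = {"authentication event server dead action authorize"}

# Constructed sample running-config (not from a real device). Gi1/0/1 is complete,
# Gi1/0/2 is missing MAB and re-authentication and uses a different tx-period,
# Gi1/0/24 is a trunk uplink and is skipped. Server names, addresses and key are placeholders.
SAMPLE_CONFIG = """\
!
radius server ISE-DC1
 address ipv4 192.0.2.10 auth-port 1812 acct-port 1813
 key PLACEHOLDER_KEY
!
radius server ISE-DC2
 address ipv4 198.51.100.10 auth-port 1812 acct-port 1813
 key PLACEHOLDER_KEY
!
interface GigabitEthernet1/0/1
 switchport mode access
 authentication periodic
 authentication timer reauthenticate server
 authentication event fail action next-method
 authentication event server dead action authorize vlan 100
 authentication event server alive action reinitialize
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 authentication violation restrict
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 10
!
interface GigabitEthernet1/0/2
 switchport mode access
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 dot1x pae authenticator
 dot1x timeout tx-period 30
!
interface GigabitEthernet1/0/24
 description uplink
 switchport mode trunk
!
"""


def parse_interfaces(config: str) -> dict[str, list[str]]:
    """Return {interface name: [stripped sub-commands]} for every 'interface' block."""
    blocks: dict[str, list[str]] = {}
    current = None
    for raw in config.splitlines():
        line = raw.rstrip()
        if line.startswith("interface "):
            current = line.split(" ", 1)[1]
            blocks[current] = []
        elif current is not None and line.startswith(" "):
            blocks[current].append(line.strip())
        else:
            current = None  # '!' or any other non-indented line closes the block
    return blocks


def parse_radius_servers(config: str) -> list[str]:
    """Names defined with 'radius server <name>' at global configuration level."""
    return re.findall(r"^radius server (\S+)", config, flags=re.MULTILINE)


def missing_interface_cmds(cmds: list[str]) -> list[str]:
    """Required Step 8-12 commands absent from one port (or present with another value)."""
    missing = []
    for req in REQUIRED_INTERFACE_CMDS:
        present = any(c.startswith(req) for c in cmds) if req in PREFIX_ONLY else req in cmds
        if not present:
            missing.append(req)
    return missing


def audit(config: str) -> dict:
    """Audit every access port plus RADIUS server redundancy; returns a findings dict."""
    findings: dict = {"interfaces": {}, "radius_servers": parse_radius_servers(config)}
    for name, cmds in parse_interfaces(config).items():
        if "switchport mode access" not in cmds:
            continue  # trunks and routed ports do not run 802.1X/MAB
        findings["interfaces"][name] = missing_interface_cmds(cmds)
    # Both ISE PSNs (one per DC) must be known to the switch for failover to happen.
    findings["radius_redundant"] = len(findings["radius_servers"]) >= 2
    return findings


if __name__ == "__main__":
    result = audit(SAMPLE_CONFIG)
    for name, missing in result["interfaces"].items():
        print(f"{name}: " + ("OK" if not missing else "MISSING " + ", ".join(missing)))
    print("RADIUS servers:", result["radius_servers"],
          "(redundant)" if result["radius_redundant"] else "(single server, no failover)")
```

Run it against `show running-config` output saved to a file by replacing `SAMPLE_CONFIG` with the file contents; the report lists, per access port, exactly which lines from Steps 8 to 12 are absent, which is the list you paste back into configuration mode.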
LVL 1

Author Comment

by:SrikantRajeev
ID: 40363188
Thanks.
Checking this out.
LVL 1

Author Closing Comment

by:SrikantRajeev
ID: 40992213
Thanks